
Liberapay: Unsafe yaml load can lead to remote code execution

2024-04-17 13:32:57
mrrobot2050
hackerone.com

Tags: liberapay, yaml, python object, remote code execution, bug bounty, security vulnerability

7.1 High

AI Score

Confidence

High

TL;DR
yaml.load() has the ability to construct an arbitrary Python object. This is dangerous if you receive a YAML document from an untrusted source.

Proof of concept
https://github.com/liberapay/liberapay.com/blob/master/liberapay/testing/vcr.py#L40

How do I fix it?
Always use yaml.safe_load(). This function limits this ability to simple Python objects like integers or lists.
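One way to find this pattern in a code base before it ships, as an added example that is not part of the report or of the Liberapay project: a stdlib-only AST scan that flags every `yaml.load` / `yaml.load_all` call that is not pinned to a safe loader. The `SAMPLE` source it scans is constructed here, and the `SAFE_LOADERS` set is an assumption about which PyYAML loader names restrict construction to plain data.

```python
import ast

# Loader classes assumed to construct only plain data (no arbitrary Python objects).
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}

# Constructed sample input: a mix of safe and unsafe call sites, one per line.
SAMPLE = '''\
import yaml
from yaml import load as yload

def a(s): return yaml.load(s)                              # no Loader= at all
def b(s): return yaml.load(s, Loader=yaml.FullLoader)      # not a safe loader
def c(s): return yaml.safe_load(s)                         # fine
def d(s): return yaml.load(s, Loader=yaml.SafeLoader)      # fine
def e(s): return yload(s, Loader=yaml.Loader)              # aliased import, unsafe loader
'''


def _loader_name(call):
    """Return the name given as the Loader= keyword, or None if it is absent."""
    for kw in call.keywords:
        if kw.arg == "Loader":
            node = kw.value
            if isinstance(node, ast.Attribute):
                return node.attr          # yaml.SafeLoader -> "SafeLoader"
            if isinstance(node, ast.Name):
                return node.id            # SafeLoader -> "SafeLoader"
            return "<dynamic>"            # computed at runtime; treat as unknown
    return None


def _is_yaml_load(call, yaml_aliases, load_aliases):
    """True if `call` is yaml.load / yaml.load_all, via the module or a from-import alias."""
    f = call.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f.value.id in yaml_aliases and f.attr in ("load", "load_all")
    if isinstance(f, ast.Name):
        return f.id in load_aliases
    return False


def find_unsafe_yaml_loads(source, filename="<string>"):
    """Return a list of (lineno, reason) for each yaml.load call not using a safe loader."""
    tree = ast.parse(source, filename)

    # First pass: learn how the yaml module and its load functions are named in this file.
    yaml_aliases, load_aliases = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "yaml":
                    yaml_aliases.add(alias.asname or "yaml")
        elif isinstance(node, ast.ImportFrom) and node.module == "yaml":
            for alias in node.names:
                if alias.name in ("load", "load_all"):
                    load_aliases.add(alias.asname or alias.name)

    # Second pass: inspect every call site.
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _is_yaml_load(node, yaml_aliases, load_aliases):
            loader = _loader_name(node)
            if loader is None:
                findings.append((node.lineno, "yaml.load without an explicit Loader="))
            elif loader not in SAFE_LOADERS:
                findings.append((node.lineno, f"yaml.load with Loader={loader}"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, reason in find_unsafe_yaml_loads(SAMPLE, "sample.py"):
        print(f"sample.py:{lineno}: {reason}")
```

Run it against a real tree by reading each `.py` file and passing its text to `find_unsafe_yaml_loads`; anything it reports should become `yaml.safe_load()` (or `Loader=yaml.SafeLoader`) unless the input is provably trusted.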

If you have any questions, please comment on the report.

Best regards,
mrrobot2050

Impact

yaml.load() has the ability to construct an arbitrary Python object. This is dangerous if you receive a YAML document from an untrusted source.
